Enable CILogon for binder-staging hub #1579

Closed
wants to merge 9 commits into from

sgibson91
Member

We had a cryptomining incident on the binder-staging hub on the 2i2c cluster so I am enabling CILogon so only those with 2i2c.org email addresses can access the hub for now

@sgibson91
Member Author

sgibson91 commented Aug 1, 2022

I deployed this but I don't think it's working as there isn't a login page

@sgibson91 sgibson91 self-assigned this Aug 1, 2022
@sgibson91
Member Author

sgibson91 commented Aug 1, 2022

I've got a really unhelpful error from the helm chart validation which I assume is related to the regex for username_pattern:

Error: failed to parse /home/runner/work/infrastructure/infrastructure/config/clusters/2i2c/binder-staging.values.yaml: error converting YAML to JSON: yaml: line 29: found unknown escape character

I tried using a double backslash but that didn't work

Update: Apparently the type of quotation mark matters for deployment, validation still failing though

@sgibson91
Member Author

Config still not working though. Getting a 500 internal error

- http://google.com/accounts/o8/id:
username_derivation:
username_claim: "email"
username_pattern: '^(.+@2i2c\.org|deployment-service-check)$'
Member

@sgibson91, maybe adding the username_pattern under hub.config.Authenticator like in

        Authenticator:
          # We only want 2i2c users to sign up
          # Protects against cryptominers - https://github.com/2i2c-org/infrastructure/issues/1216
          username_pattern: '^(.+@2i2c\.org|deployment-service-check)$'
          # Delete any prior existing users in the db that don't pass username_pattern
          delete_invalid_users: true
?

When I made the suggestion of adding it here, I assumed it would work this way too, since CILogonOAuthenticator is inheriting from the base Authenticator

Member Author

Thank you, will try that

I also seem to have acquired two instances of username_claim like this:

        CILogonOAuthenticator:
          oauth_callback_url: "https://binder-staging.2i2c.cloud/hub/oauth_callback"
          username_claim: "email"
          allowed_idps:
            - http://google.com/accounts/o8/id:
                username_derivation:
                  username_claim: "email"

I'm assuming one of these is wrong?
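
What the username_pattern suggested in this thread accepts and rejects, and which existing users a delete_invalid_users cleanup would drop, as an added Python example that is not part of the PR or of JupyterHub's own code. validate_username and users_to_delete are simplified stand-ins written for this illustration, and the sample usernames are constructed.

```python
import re

# Pattern copied from the review comment above.
USERNAME_PATTERN = r'^(.+@2i2c\.org|deployment-service-check)$'


def validate_username(username, pattern=USERNAME_PATTERN):
    """Simplified stand-in for the base Authenticator's username check:
    reject empty names and names containing '/', then require the
    pattern to match from the start of the string."""
    if not username or '/' in username:
        return False
    return bool(re.compile(pattern).match(username))


def users_to_delete(existing_users, pattern=USERNAME_PATTERN):
    """Users a delete_invalid_users-style cleanup would drop: everyone
    already in the database whose name no longer validates."""
    return [u for u in existing_users if not validate_username(u, pattern)]


# Constructed sample usernames, not taken from the hub's database.
SAMPLE_USERS = [
    "alice@2i2c.org",              # intended user
    "deployment-service-check",    # health-check account named in the pattern
    "bob@example.com",             # outside the allowed domain
    "carol@2i2c.org.example.com",  # allowed domain only as a prefix
    "dave@2i2cxorg",               # only matches if the dot is left unescaped
    "2i2c.org",                    # no local part, '.+@' requires one
]

if __name__ == "__main__":
    for name in SAMPLE_USERS:
        print(f"{name!r:32} allowed={validate_username(name)}")
    print("would be deleted:", users_to_delete(SAMPLE_USERS))
    # Same check with the dot unescaped, to show what the backslash buys.
    loose = r'^(.+@2i2c.org|deployment-service-check)$'
    print("unescaped dot admits dave:", validate_username("dave@2i2cxorg", loose))
```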

@sgibson91
Member Author

This config is completely busted and I don't know why. On the upside, the hub is unusable, cryptominers or no

@sgibson91
Member Author

I killed the proxy-public service to make the whole hub go away and I'll disable updates in CI so that we don't bring it back up with another merge

@sgibson91 sgibson91 marked this pull request as draft August 1, 2022 15:32
@GeorgianaElena
Member

This was incorporated in #2393

@sgibson91 sgibson91 deleted the cilogon-binder branch April 13, 2024 09:37